xworm | 5fd43513f6196f17bc0c00e9e08653f4812311c7a737a60257188c6fe23893db

Analysis

max time kernel
94s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ny mapp (11).zip
Size

28.6MB
MD5

8ec6bd395828d1f517d5e2e11bc3e3a3
SHA1

9a33448db0dec4ea2c278d6ca31d315e0a892fb4
SHA256

5fd43513f6196f17bc0c00e9e08653f4812311c7a737a60257188c6fe23893db
SHA512

e17c8bc4cf3a0c1f4535773787b5d5f123849252771d0b516773819f5822be818b06166993029e00697deee00e8778db30cdee1db86a3bc776658d0903e50b70
SSDEEP

786432:7QGi8g5jO9/6yG7U1LVAzQIsiCnVmHzhRDBGmkltmUkw:TiPjoiyMoRA5svnIhRDBpumUL

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

jrutcxTxqD08SKSB

Attributes

Install_directory
%ProgramData%
install_file
OneDrive.exe
pastebin_url
https://pastebin.com/raw/RPPi3ByL

aes.plain

Signatures

Detect Xworm Payload 8 IoCs

resource	yara_rule
behavioral1/files/0x000500000001ad9a-247.dat	family_xworm
behavioral1/files/0x000500000001ade4-252.dat	family_xworm
behavioral1/files/0x000500000001c31e-257.dat	family_xworm
behavioral1/memory/1044-260-0x0000000000A90000-0x0000000000AB8000-memory.dmp	family_xworm
behavioral1/memory/3068-258-0x0000000000B00000-0x0000000000B2E000-memory.dmp	family_xworm
behavioral1/memory/1916-261-0x0000000000C70000-0x0000000000C9C000-memory.dmp	family_xworm
behavioral1/memory/1456-693-0x0000000000810000-0x000000000083E000-memory.dmp	family_xworm
behavioral1/memory/672-694-0x0000000000370000-0x0000000000398000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2104	powershell.exe
2660	powershell.exe
1208	powershell.exe
1692	powershell.exe
824	powershell.exe
2828	powershell.exe
2200	powershell.exe
2064	powershell.exe
2148	powershell.exe
1724	powershell.exe
2616	powershell.exe
1716	powershell.exe

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Update.lnk	Chrome Update.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Update.lnk	Chrome Update.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe

Executes dropped EXE 5 IoCs

pid	Process
1980	Xworm V6.0.exe
1044	OneDrive.exe
3068	msedge.exe
1916	Chrome Update.exe
1908	Xworm V5.6.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome Update = "C:\\Users\\Admin\\AppData\\Roaming\\Chrome Update.exe"	Chrome Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\OneDrive.exe"	OneDrive.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
9	pastebin.com
10	pastebin.com
11	pastebin.com
6	pastebin.com
7	pastebin.com
8	pastebin.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1000	schtasks.exe
1104	schtasks.exe
2864	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2064	powershell.exe
2148	powershell.exe
2104	powershell.exe
2660	powershell.exe
1724	powershell.exe
2616	powershell.exe
1208	powershell.exe
1692	powershell.exe
1716	powershell.exe
824	powershell.exe
2828	powershell.exe
2200	powershell.exe
3068	msedge.exe
1916	Chrome Update.exe
1044	OneDrive.exe
2700	chrome.exe
2700	chrome.exe
1044	OneDrive.exe
1044	OneDrive.exe
1044	OneDrive.exe
1044	OneDrive.exe
1916	Chrome Update.exe
1916	Chrome Update.exe
1916	Chrome Update.exe
1916	Chrome Update.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
1044	OneDrive.exe
1044	OneDrive.exe
1916	Chrome Update.exe
1916	Chrome Update.exe
3068	msedge.exe
3068	msedge.exe
1044	OneDrive.exe
1044	OneDrive.exe
1916	Chrome Update.exe
1916	Chrome Update.exe
3068	msedge.exe
3068	msedge.exe
1044	OneDrive.exe
1044	OneDrive.exe
1916	Chrome Update.exe
1916	Chrome Update.exe
3068	msedge.exe
3068	msedge.exe
1044	OneDrive.exe
1044	OneDrive.exe
1916	Chrome Update.exe
1916	Chrome Update.exe
3068	msedge.exe
3068	msedge.exe
1044	OneDrive.exe
1044	OneDrive.exe
1916	Chrome Update.exe
1916	Chrome Update.exe
3068	msedge.exe
3068	msedge.exe
1044	OneDrive.exe
1044	OneDrive.exe
1916	Chrome Update.exe
1916	Chrome Update.exe
3068	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
2396	7zFM.exe
1044	OneDrive.exe
1916	Chrome Update.exe
3068	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2396	7zFM.exe
Token: 35	2396	7zFM.exe
Token: SeSecurityPrivilege	2396	7zFM.exe
Token: SeDebugPrivilege	3068	msedge.exe
Token: SeDebugPrivilege	1044	OneDrive.exe
Token: SeDebugPrivilege	1916	Chrome Update.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	3068	msedge.exe
Token: SeDebugPrivilege	1916	Chrome Update.exe
Token: SeDebugPrivilege	1044	OneDrive.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
2396	7zFM.exe
2396	7zFM.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3068	msedge.exe
1916	Chrome Update.exe
1044	OneDrive.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1044	1980	Xworm V6.0.exe	34
PID 1980 wrote to memory of 1044	1980	Xworm V6.0.exe	34
PID 1980 wrote to memory of 1044	1980	Xworm V6.0.exe	34
PID 1980 wrote to memory of 3068	1980	Xworm V6.0.exe	35
PID 1980 wrote to memory of 3068	1980	Xworm V6.0.exe	35
PID 1980 wrote to memory of 3068	1980	Xworm V6.0.exe	35
PID 1980 wrote to memory of 1916	1980	Xworm V6.0.exe	36
PID 1980 wrote to memory of 1916	1980	Xworm V6.0.exe	36
PID 1980 wrote to memory of 1916	1980	Xworm V6.0.exe	36
PID 1980 wrote to memory of 1908	1980	Xworm V6.0.exe	37
PID 1980 wrote to memory of 1908	1980	Xworm V6.0.exe	37
PID 1980 wrote to memory of 1908	1980	Xworm V6.0.exe	37
PID 1916 wrote to memory of 2148	1916	Chrome Update.exe	38
PID 1916 wrote to memory of 2148	1916	Chrome Update.exe	38
PID 1916 wrote to memory of 2148	1916	Chrome Update.exe	38
PID 3068 wrote to memory of 2064	3068	msedge.exe	39
PID 3068 wrote to memory of 2064	3068	msedge.exe	39
PID 3068 wrote to memory of 2064	3068	msedge.exe	39
PID 1044 wrote to memory of 2104	1044	OneDrive.exe	42
PID 1044 wrote to memory of 2104	1044	OneDrive.exe	42
PID 1044 wrote to memory of 2104	1044	OneDrive.exe	42
PID 3068 wrote to memory of 1724	3068	msedge.exe	44
PID 3068 wrote to memory of 1724	3068	msedge.exe	44
PID 3068 wrote to memory of 1724	3068	msedge.exe	44
PID 1044 wrote to memory of 2616	1044	OneDrive.exe	46
PID 1044 wrote to memory of 2616	1044	OneDrive.exe	46
PID 1044 wrote to memory of 2616	1044	OneDrive.exe	46
PID 1916 wrote to memory of 2660	1916	Chrome Update.exe	47
PID 1916 wrote to memory of 2660	1916	Chrome Update.exe	47
PID 1916 wrote to memory of 2660	1916	Chrome Update.exe	47
PID 3068 wrote to memory of 1208	3068	msedge.exe	50
PID 3068 wrote to memory of 1208	3068	msedge.exe	50
PID 3068 wrote to memory of 1208	3068	msedge.exe	50
PID 1916 wrote to memory of 1692	1916	Chrome Update.exe	52
PID 1916 wrote to memory of 1692	1916	Chrome Update.exe	52
PID 1916 wrote to memory of 1692	1916	Chrome Update.exe	52
PID 1044 wrote to memory of 1716	1044	OneDrive.exe	54
PID 1044 wrote to memory of 1716	1044	OneDrive.exe	54
PID 1044 wrote to memory of 1716	1044	OneDrive.exe	54
PID 1044 wrote to memory of 824	1044	OneDrive.exe	56
PID 1044 wrote to memory of 824	1044	OneDrive.exe	56
PID 1044 wrote to memory of 824	1044	OneDrive.exe	56
PID 1916 wrote to memory of 2828	1916	Chrome Update.exe	58
PID 1916 wrote to memory of 2828	1916	Chrome Update.exe	58
PID 1916 wrote to memory of 2828	1916	Chrome Update.exe	58
PID 3068 wrote to memory of 2200	3068	msedge.exe	60
PID 3068 wrote to memory of 2200	3068	msedge.exe	60
PID 3068 wrote to memory of 2200	3068	msedge.exe	60
PID 3068 wrote to memory of 1104	3068	msedge.exe	62
PID 3068 wrote to memory of 1104	3068	msedge.exe	62
PID 3068 wrote to memory of 1104	3068	msedge.exe	62
PID 1044 wrote to memory of 2864	1044	OneDrive.exe	64
PID 1044 wrote to memory of 2864	1044	OneDrive.exe	64
PID 1044 wrote to memory of 2864	1044	OneDrive.exe	64
PID 1916 wrote to memory of 1000	1916	Chrome Update.exe	66
PID 1916 wrote to memory of 1000	1916	Chrome Update.exe	66
PID 1916 wrote to memory of 1000	1916	Chrome Update.exe	66
PID 1908 wrote to memory of 2436	1908	Xworm V5.6.exe	68
PID 1908 wrote to memory of 2436	1908	Xworm V5.6.exe	68
PID 1908 wrote to memory of 2436	1908	Xworm V5.6.exe	68
PID 2700 wrote to memory of 2652	2700	chrome.exe	71
PID 2700 wrote to memory of 2652	2700	chrome.exe	71
PID 2700 wrote to memory of 2652	2700	chrome.exe	71
PID 2700 wrote to memory of 2608	2700	chrome.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Ny mapp (11).zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2396

C:\Users\Admin\Desktop\New folder\Xworm V6.0.exe
"C:\Users\Admin\Desktop\New folder\Xworm V6.0.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
  "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2104
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2616
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:824
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\ProgramData\OneDrive.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2864
- C:\Users\Admin\AppData\Local\Temp\msedge.exe
  "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2064
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1208
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2200
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1104
- C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe
  "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2148
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome Update.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2660
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chrome Update.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1692
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome Update.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2828
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1000
- C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
  "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1908 -s 732
    3⤵
    PID:2436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef08c9758,0x7fef08c9768,0x7fef08c9778
  2⤵
  PID:2652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1188 --field-trial-handle=1236,i,11747577844530943986,11954862062296612308,131072 /prefetch:2
  2⤵
  PID:2608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1464 --field-trial-handle=1236,i,11747577844530943986,11954862062296612308,131072 /prefetch:8
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1552 --field-trial-handle=1236,i,11747577844530943986,11954862062296612308,131072 /prefetch:8
  2⤵
  PID:1236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2280 --field-trial-handle=1236,i,11747577844530943986,11954862062296612308,131072 /prefetch:1
  2⤵
  PID:2612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2292 --field-trial-handle=1236,i,11747577844530943986,11954862062296612308,131072 /prefetch:1
  2⤵
  PID:2656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1180 --field-trial-handle=1236,i,11747577844530943986,11954862062296612308,131072 /prefetch:2
  2⤵
  PID:2920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1636 --field-trial-handle=1236,i,11747577844530943986,11954862062296612308,131072 /prefetch:1
  2⤵
  PID:612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3692 --field-trial-handle=1236,i,11747577844530943986,11954862062296612308,131072 /prefetch:8
  2⤵
  PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3764 --field-trial-handle=1236,i,11747577844530943986,11954862062296612308,131072 /prefetch:1
  2⤵
  PID:1000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3808 --field-trial-handle=1236,i,11747577844530943986,11954862062296612308,131072 /prefetch:1
  2⤵
  PID:1748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3708 --field-trial-handle=1236,i,11747577844530943986,11954862062296612308,131072 /prefetch:1
  2⤵
  PID:2212

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2296

C:\Windows\system32\taskeng.exe
taskeng.exe {AF887563-ADE8-40AA-B9FE-1064E9F56074} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
1⤵
PID:1252
- C:\ProgramData\OneDrive.exe
  C:\ProgramData\OneDrive.exe
  2⤵
  PID:672
- C:\Users\Admin\AppData\Local\msedge.exe
  C:\Users\Admin\AppData\Local\msedge.exe
  2⤵
  PID:1456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\7f567722-1be5-4922-b3e0-32e971711467.tmp

Filesize
8KB

MD5
d97275370905976ef58de1f107337e8c

SHA1
b5774907da8e482cd3c47114e8a6e20fa6192b4f

SHA256
e808e12e3845448a1cec61bc5724b45dfbe71b24b3499e8149f253c9b45430c7

SHA512
b4b23fd922ff1baa7b45a115bfd94a88272ce5010d2162f0cc5b537b1b79144e88480102816b602a7d6388981f76cc7c5cc65532330fcf1dbed770de87f30947

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
044d9d13106f7d4c64d8a1ba4203b8e8

SHA1
4aaf77565c996833bae0e49e4152ea7a72f0d742

SHA256
6d19170fb8d01b1cde929e600f59df018a262531130482f8984c39e77fff650b

SHA512
17fffa23dd7972caba46540f4278e5ebd39616dd71b95aa1bc11798f1976d9edb6d3c30eabe97e87c43bb7613a16477b9580f619f38fc91c1271748c56ce4f18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe

Filesize
152KB

MD5
16cdd301591c6af35a03cd18caee2e59

SHA1
92c6575b57eac309c8664d4ac76d87f2906e8ef3

SHA256
11d55ac2f9070a70d12f760e9a6ee75136eca4bf711042acc25828ddda3582c8

SHA512
a44402e5e233cb983f7cfd9b81bc542a08d8092ffa4bd970fc25fe112355643506d5dfee0dd76f2e79b983df0fde67bfc50aabb477492a7596e38081e4083476

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
117B

MD5
2426b61e7288d67e8a082780685695f3

SHA1
93ebf4986e940a753df7941f38cf5d704dda2d8c

SHA256
be02d00d2059ee7eae73ea5c83e2213dbac3f63814c7c18b17647e0767b64d67

SHA512
034c52427a1a379cc95990e140addfa187ddec68a096ee6d8b61d0d48e3027aa80b1eb152ce0784ff9b6dd07cb0c97ada86bc7bf6523e1894eb53bfa0e459d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
120B

MD5
a10e9857db32761e77acb7d3fbef8fb2

SHA1
87e8fc2110906292760cfb313ba98a7e3bb26255

SHA256
035a5cd0e1f7f44011141a32eccbaa88f7b338e22738b8e3f8039662e0648bda

SHA512
e74980eafbf2dc8d3f266bb2d4225b335895cc5441b5038c1a87a3d72727cb9b2951ce7c8d1613fcad3a03bc0621a2f95f1b5c46a6d47cd55540f5f17f52a6d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
123B

MD5
64fe98853c5acaac86be924012758ffd

SHA1
fca18b4b9a4c6aa708271406465555c38d73e0d2

SHA256
daa873e7fdff70dec248edb84a062657dc8fb258e75838629c28f3fddb7607a5

SHA512
8af05785e82c3072074a3957ffbae833f641daa09170a7e3ed8f82adb4c0ed6b6a6cef18d1cfcdbb97cced9b8dc75ac6ff482af01840f68f862bb525a464bbdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
126B

MD5
4ee3278c2c8dd1e71ec23dfa3e2ac987

SHA1
745bbe91a59ca1ae042a8bfee63ab96e305fe6ff

SHA256
277f09f7922867f3095d04c63b298deaac1f1b02f84a75f20790c5ca8255a093

SHA512
8b1cac41dc9865405ad71d22660336ec6c8e73b2b5cc1d1ace53d0266a6685a479877fff2c47b7f415d5e45ad641a40a67d73a5eccdc4cd3936a9afaaad0c7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
129B

MD5
aa5a9d460398259919067efd60010ee6

SHA1
998853abe8194fca970dc3e011b28199ecacb1a4

SHA256
22bbc62ad6e64c7b9ea38d6369300100d57073f8d94261c82990030ca6ad691b

SHA512
3ebf9cbb2ffc43a5ca6ebe69fa119df353396dd195a5e2bc22db4fd4e7bc200768731e71fd459d7037ca8db22e7f8b241dd506494843f66abdc51d06601919e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
132B

MD5
ebb01c6c0b6b8cfb04be14ab8bad5414

SHA1
293791654af81f2a2c0561c8046f2b020091d898

SHA256
bf582ec53b6f1fd7e892ae5500cd4aba3bdcde66292384b522b6f6da3bc1aa40

SHA512
55f8096ea29b88425dcda6fdf0b6842fb7282c083ee84d0a4f2fee4c73ce72de21c6f5100bb683cf51813f5f3fd1cd0ea3ee61b7a76e2ca19d774531e91a4a2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
134B

MD5
6bedaad180db23e0a495060af745dc40

SHA1
aa0e5065ea0af7ca392670d62b65ac39a4c79848

SHA256
8e3c87c8ff28764f902196e5ca6b1dc46e1c791c3c91550d4be577ba52502eb6

SHA512
9d4f94c5dd48ae2cb22ee85ad6770c17d8ded7a44cf2b423d96dcc47b67699aa54496c55f15e1791da42b95ef2a92aac15a961872554bc6b76ecc4cde1e1977e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
135B

MD5
5cd3ad00e3b08653c65f51e163ebeb56

SHA1
58bfe38aadc90a756ba9e799a5858fe75e93f53f

SHA256
d521ef96ac2d3571191737f136eed815c17adb6726bda067a641347f38a27f30

SHA512
f4c27f843c045db6d4efc83fb75407dda62010f627968e9471eed72f4ebfc760904c998b5932e48bf4b7bef1813bc9c59f971703f7436836a39ed446591588d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
138B

MD5
0bdb31f7546008f253ec396a6907fc35

SHA1
795695b750fd0ba67d5ab21b7fbc2251b5dd27cb

SHA256
5653e02e73a1dd733f60a402a25712c1eeae69f08cf469dcf4394d1b76073d9d

SHA512
818466705e67669dbafa91323433f2684c2464b12298fc00ea9668c51b7b2c4b8ec4dfc81d44ba1e77b62ba6eb2e80368f1059d58489ada2b5355d87d8544e6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
141B

MD5
e2dbb8fdaa70e0b34718ca11cc125293

SHA1
6b416cfc0bf09d44bf4bc9b645f0f5b2afea725d

SHA256
528bbf2d8a57d2837254df7e02239b4172268290ef793139e80bf6bc1036b631

SHA512
8096fca5aef31ec683a1dc78217dd48e8558f719c0e6ec9388ff193097c75543d0b3e74eb2b9291cb09250c9aa58be08a979b5da667181a3ce0c72e6ed100524

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe

Filesize
140KB

MD5
a1cd6f4a3a37ed83515aa4752f98eb1d

SHA1
7f787c8d72787d8d130b4788b006b799167d1802

SHA256
5cbcc0a0c1d74cd54ac999717b0ff0607fe6ed02cca0a3e0433dd94783cfec65

SHA512
9489287e0b4925345fee05fe2f6e6f12440af1425ef397145e32e6f80c7ae98b530e42002d92dc156643f9829bc8a3b969e855cecd2265b6616c4514eed00355

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe

Filesize
14.9MB

MD5
56ccb739926a725e78a7acf9af52c4bb

SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc

SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge.exe

Filesize
166KB

MD5
aee20d80f94ae0885bb2cabadb78efc9

SHA1
1e82eba032fcb0b89e1fdf937a79133a5057d0a1

SHA256
498eb55b3fb4c4859ee763a721870bb60ecd57e99f66023b69d8a258efa3af7d

SHA512
3a05ff32b9aa79092578c09dfe67eaca23c6fe8383111dab05117f39d91f27670029f39482827d191bd6a652483202b8fc1813f8d5a0f3f73fd35ca37a4f6d42

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
514875456e0d5eabe8893bd54d0af92f

SHA1
cd3fdfe07c21ea244c793033b53df7641f631808

SHA256
0e5fd5b6c3918e5798d2f919fcabc395e568681ebaf6312124772f749d4deb6e

SHA512
7190d606ffaeed985c62c54d6b33e2da7a66aa734a2a6cff1e12ffd3c204076f047d97b79f8b89e62ccc708532f5356527b41b88cb6f68ff0a3968c5244474cd

Download Submit
C:\Users\Admin\Desktop\New folder\Icons\icon (15).ico

Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\Desktop\New folder\Xworm V6.0.exe

Filesize
15.5MB

MD5
fae9f588f8bf2ea148c92de1083eb8a2

SHA1
8103ee4ad2ba5c5ab6fafa80fbc536646fdabaa9

SHA256
54e8a0545faac8f1de60cfacd3baf32135ee0a2b296f5ff36a0bd4a87abe1394

SHA512
f05ddbcc784d3903e3d151155060a6fccbda672c183c2b71d7601e7c16579ff225a00156d3203ee3990b6a19cce7022644352f3db8b5b862928d6b3b0034ec0e

Download Submit
C:\Users\Admin\Desktop\New folder\Xworm V6.0.exe.config

Filesize
183B

MD5
66f09a3993dcae94acfe39d45b553f58

SHA1
9d09f8e22d464f7021d7f713269b8169aed98682

SHA256
7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7

SHA512
c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed

Download Submit
memory/672-694-0x0000000000370000-0x0000000000398000-memory.dmp

Filesize
160KB

Download
memory/1044-260-0x0000000000A90000-0x0000000000AB8000-memory.dmp

Filesize
160KB

Download
memory/1456-693-0x0000000000810000-0x000000000083E000-memory.dmp

Filesize
184KB

Download
memory/1724-294-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/1908-267-0x00000000000C0000-0x0000000000FA8000-memory.dmp

Filesize
14.9MB

Download
memory/1916-261-0x0000000000C70000-0x0000000000C9C000-memory.dmp

Filesize
176KB

Download
memory/1980-243-0x0000000001330000-0x00000000022B0000-memory.dmp

Filesize
15.5MB

Download
memory/2064-277-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2148-283-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/2660-296-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/3068-258-0x0000000000B00000-0x0000000000B2E000-memory.dmp

Filesize
184KB

Download